Method and apparatus for combating malicious code

ABSTRACT

A method and apparatus are provided for combating malicious code. In one embodiment, a method for combating malicious code in a network includes implementing a leap-ahead technique to defend against the malicious code reaching a full saturation potential in the network, by sending alert messages to a group of peers, and reselecting the membership of that group from time to time.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of co-pending U.S. patent application Ser. No. 11/230,419, filed Sep. 19, 2005, which in turn claims the benefit of U.S. Provisional Patent Application Ser. No. 60/610,687, filed Sep. 17, 2004 and of U.S. Provisional Patent Application Ser. No. 60/673,986, filed Apr. 21, 2005. All of these applications are herein incorporated by reference in their entireties.

REFERENCE TO GOVERNMENT FUNDING

This invention was made with Government support under grant number ANI-0335299, awarded by the National Science Foundation. The Government has certain rights in this invention.

FIELD OF THE INVENTION

The present invention relates generally to computer networks and relates more specifically to defending networks against malicious code.

BACKGROUND OF THE DISCLOSURE

In recent years, outbreaks of self-propagating malicious code (“worms”) have frequently plagued public networks, even penetrating into well-protected enterprises. Worms have evolved from relatively rare nuisance applications into one of the most well-recognized information-based global security threats. To combat this problem, there has been a surge of research into developing techniques for recognizing worms and defending networks against emerging epidemics. To date, however, no single approach has proven completely effective in containing the propagation of worms, as many different kinds of worms (e.g., variable speed random-scan worms, topology-based worms, etc.) employing many different kinds of infection strategies exist.

Thus, there is a need in the art for a method and apparatus for combating malicious code.

SUMMARY OF THE INVENTION

A method and apparatus are provided for combating malicious code. In one embodiment, a method for combating malicious code in a network includes implementing a leap-ahead technique to defend against the malicious code reaching a full saturation potential in the network, by sending alert messages to a group of peers, and reselecting the membership of that group from time to time.

BRIEF DESCRIPTION OF THE DRAWINGS

The teachings of the present invention can be readily understood by considering the following detailed description in conjunction with the accompanying drawings, in which:

FIG. 1 is a flow diagram illustrating one embodiment of a method for combating malicious code (e.g., worms), according to the present invention;

FIG. 2 is a flow diagram illustrating one embodiment of a second method for combating malicious code (e.g., worms), according to the present invention;

FIG. 3 is a flow diagram illustrating one embodiment of a method for dynamically constructing a filter to contain emerging worms, according to the present invention; and

FIG. 4 is a high level block diagram of the present method for worm containment that is implemented using a general purpose computing device.

To facilitate understanding, identical reference numerals have been used, where possible, to designate identical elements that are common to the figures.

DETAILED DESCRIPTION

In one embodiment, the present invention relates to a method and apparatus for combating malicious code (worms). The present invention provides improved containment and control of worm infections in a network by integrating complementary defense strategies both to slow the spread of worms and to prevent worms from reaching their full saturation potential within the network.

FIG. 1 is a flow diagram illustrating one embodiment of a method 100 for combating malicious code (e.g., worms), according to the present invention. The method 100 is initialized at step 102 and proceeds to step 104, where the method 100 detects a worm in a computer network.

In step 106, the method 100 reacts to the detection of the worm by implementing a resource-limiting defense strategy in parallel with a leap-ahead defense strategy.

A resource-limiting defense strategy is one that delays worm propagation by throttling or limiting access to resources that aggressive worms are known to consume at high rates (e.g., a volume of outbound connections, a rate of outbound connections). In one embodiment, the resource-limiting defense strategy implemented in step 106 is a connection rate limiting strategy that limits the number of outbound nodes that an internal machine may contact per unit of time.

A leap-ahead defense strategy is one that relies on cooperative information sharing (e.g., hierarchical or peer-based) to prevent saturation of the network by a worm. Specifically, a leap-ahead strategy uses information sharing to facilitate the recognition of emerging worms and the coordination of defensive action, for instance by spreading warnings to network segments not yet affected by the worm. In one embodiment, the leap-ahead defense strategy implemented in step 106 is a peer-based strategy in which nodes pre-select a set of peers with which to share worm indicators and in turn are selected by other domains to receive indicators. In another embodiment, randomly selected groups of peers are periodically recomputed in order to prevent a worm from learning a static group structure and attempting to pre-calculate an infection sequence map that avoids threshold crossing. In such an embodiment, re-computation of the peer group could be performed by each peer or by a hierarchical coordinator function.

The method 100 is terminated in step 108.

In this way, the method 100 provides improved containment and control of worm infections in a network. In particular, by integrating the resource-limiting defense strategy, which can operate autonomously at network domains, in parallel with the leap-ahead defense strategy, which provides group-wide protection, better containment is achieved than with virtually any single known containment strategy. For example, resource-limiting defense strategies tend to slow the worm growth rate to a degree that makes containment manageable, while leap-ahead defense strategies tend to prevent worms from reaching full saturation potential. Thus, implementation of the resource-limiting defense strategy should impose a delay on fast-spreading worms that is substantial enough to allow peer groups operating under the leap-ahead defense strategy to coordinate and block the worm before it can achieve full saturation potential.

FIG. 2 is a flow diagram illustrating one embodiment of a second method 200 for combating malicious code (e.g., worms), according to the present invention. In particular, the method 200 is a more detailed embodiment of the method 100, and may be implemented, for example, at a network domain gateway that interfaces one or more end nodes to a network. FIG. 2 illustrates operation of the method 200 within a single analysis period, where the method 200 may be performed iteratively over several consecutive analysis periods (e.g., once every second for x seconds, or continuously).

The method 200 is initialized at step 202 and proceeds to step 204, where the method 200 initializes an alert level counter and a hold off counter. The alert level counter tracks the instances of worm alerts being generated or received by the method 200. The hold off counter is implemented to control a stream of resource limitation violations, as discussed in greater detail below. In one embodiment, both the alert level counter and the hold off counter are initialized to their lowest possible values in step 204. In one embodiment, this lowest possible value is zero.

In step 206, the method 200 monitors the network, e.g., to detect the presence of a worm. In step 208, the method 200 determines whether local resource limitations have been violated, e.g., in accordance with a resource-limiting defense strategy. In one embodiment, local resource limitations have been violated if any of the end nodes (e.g., user computing devices) within a domain managed by the gateway at which the method 200 is executing have made more than a threshold number of outbound connections per unit time. This limitation is motivated by the observation that the volume of outbound connections relative to a unique node is relatively small under most operating conditions, but tends to increase when the node is infected by a worm.

If the method 200 determines in step 208 that local resource limitations have been violated, the method 200 proceeds to step 210 and determines whether the value of the hold off counter, c, is greater than zero (or the minimum value initialized in step 204). If the method 200 determines in step 210 that the value of the hold off counter, c, is greater than zero, the method 200 returns to step 206 and proceeds as described above to monitor the domain for worms. In essence, this indicates that the method 200 is operating inside a hold off period during which additional alert messages relating to resource limitation violations are suppressed in order to prevent a single end host from causing an entire portion of the network to implement defensive action (e.g., by generating a stream of resource limitation violations over multiple periods of time, such as over several seconds), as discussed in greater detail below.

Alternatively, if the method 200 determines in step 210 that the value of the hold off counter, c, is not greater than zero (e.g., is zero), the method 200 proceeds to step 212 and sends an alert message to a pre-selected group of peers (e.g., end nodes, other domain gateways, etc.). In one embodiment, the alert message is sent in accordance with a known leap-ahead defense strategy. In one embodiment, the group of peers comprises G−1 nodes, where G is the group size. In further embodiments, the IP addresses of all nodes or domain gateways executing the method 200 are arranged in a ring in ascending order, and each node or domain gateway selects the next G−1 addresses to be its group of peers. In this way, it is substantially ensured that each node or domain gateway executing the method 200 becomes a peer of the same number of nodes or domain gateways.

In addition, the method 200 increments c by a value, s, indicative of the severity of the alert. This value, s, corresponds to a period of time (e.g., a number of seconds) during which additional alert messages relating to resource limitation violations are suppressed in accordance with a hold off period.

In step 214, the method 200 increments the alert level counter, a. In one embodiment, the alert level counter, a, is set to the smaller of a+s and α (that is, incremented by s but capped at α), where α is a predefined threshold alert value. Specifically, α defines the level of corroboration from other peers (e.g., the number of alert messages received from other nodes or domain gateways) that is required to support the adoption of a defensive action to combat the spread of a worm. For example, a low threshold alert value, α, will permit quicker reaction to emerging infections, while a larger threshold alert value, α, will reduce the number of false alarms. In one embodiment, the threshold alert value, α, is calculated as:

α = (G/4)*s   (EQN. 1)

such that the threshold alert value, α, is relative to the peer group size, G. The denominator, 4 in EQN. 1, may be adjusted to tune the sensitivity of the method 200 in the manner described above for α (a smaller denominator raises α and demands more corroborating alerts before defensive action is taken; a larger denominator lowers α and permits a quicker reaction) to achieve desired results.

In step 216, the method 200 determines whether the new value of the alert level counter, a, is equal to the threshold alert value α. If the method 200 determines in step 216 that the alert level counter, a, is not equal to the threshold alert value α, the method 200 returns to step 206 and proceeds as described above to monitor the domain for worms.

Alternatively, if the method 200 determines in step 216 that the alert level counter, a, is equal to the threshold alert value α, the method 200 proceeds to step 218 and implements defensive action to prevent and/or slow an infection attempt (the spread of the worm). In one embodiment, this defensive action includes dropping outbound end node connections that exceed a threshold number. In another embodiment, defensive action includes enabling a filter (e.g., an inbound traffic filter) to selectively block traffic that matches the characteristics of the packets associated with the dropped outbound connections. In one embodiment, this filter is derived dynamically.

Referring back to step 208, if the method 200 determines in step 208 that local resource limitations have not been violated, the method 200 proceeds to step 220 and determines whether any alert messages have been received. In one embodiment, alert messages are received from another node or network domain gateway that has chosen to inform the domain gateway at which the method 200 is executing of any alerts it has received or generated (e.g., by designating the gateway at which the method 200 is executing as its peer).

If the method 200 determines in step 220 that at least one alert message has been received, the method 200 proceeds to step 214 and proceeds as described above in order to determine whether this newly received alert message constitutes sufficient corroboration to implement a defensive action.

Alternatively, if the method 200 determines in step 220 that no alert messages have been received, the method 200 proceeds to step 222 and decrements the alert level counter, a, and the hold off counter, c. In one embodiment, the alert level counter, a, is decremented to the larger of zero (or the minimum value initialized in step 204) and a−1. In one embodiment, the hold off counter, c, is decremented to the larger of zero (or the minimum value initialized in step 204) and c−1.

In step 224, the method 200 determines whether the alert level counter, a, is now greater than zero (or the minimum value initialized in step 204). If the method 200 determines that the alert level counter, a, is not greater than zero (or the minimum value initialized in step 204), the method 200 proceeds to step 226 and halts any defensive action being taken to combat the spread of worms. Thus, temporal decay of the alert level counter, a, transitions the method 200 from a defensive posture to a normal state when alerts of worm activity are not received or generated for a period of time. In another embodiment, nondeterminism may be introduced in order to combat worms using strategic dormancy to avoid triggering defensive actions.

The method 200 then proceeds to step 228 and waits for the next analysis period to begin. In one embodiment, a new analysis period begins every second, such that the method 200 is executed every second. Once the next analysis period begins, the method 200 returns to step 206 and proceeds as described above in order to monitor the domain for worms.

Thus, in essence, the method 200 uses threshold violations as recorded by a resource-limiting defense strategy as inputs to a leap-ahead strategy that relies on peer alerts. This approach thus takes advantage of complementary defensive strategies to maximize the types of worms that can be detected and contained (e.g., resource-limiting defense strategies tend to defend well against fast scan worms but are less effective against slower scan worms, while leap-ahead defense strategies tend to defend well against slow scan worms but are less effective against faster scan worms). Moreover, the method 200 substantially ensures that neither a single resource violation or alert nor a collection of solely local alerts will trigger defensive action across a group of peer networks. Thus, improved worm containment is achieved with a relatively low rate of false alarms. For some classes of worms, such as some random scanning worms, such an approach offers a substantially signature-free solution for slowing worm propagation and preventing full saturation potential from being achieved.
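The counter logic of steps 204 through 228, the ring-based peer selection of step 212 and the periodic random re-computation of peer groups described for the leap-ahead strategy can be exercised in a small simulation. The Python below is an added example written for this page, not code from the patent or its applicants. The sixteen gateway addresses, the per-host limit of 20 outbound connections per period, the severity s = 2, the one-period delivery delay for alerts and the shared epoch seed used to permute the ring are assumptions of the example. It runs two constructed scenarios: a single noisy host that violates the limit for ten consecutive periods (the hold off counter keeps it to one alert and no gateway ever defends), and a worm that violates the limit at four gateways at once (nine of the remaining twelve gateways receive enough corroborating alerts to reach α and defend, then decay back to normal once the alerts stop).

```python
import hashlib
import ipaddress
import random


def _ip_key(addr):
    return int(ipaddress.ip_address(addr))


def peer_groups(addresses, group_size, epoch=None):
    """Map each gateway address to the G-1 peers it will alert.

    epoch=None reproduces step 212: addresses form a ring in ascending order and
    each gateway takes the next G-1 addresses, so every gateway is also a peer of
    exactly G-1 other gateways.  An integer epoch permutes the ring order with an
    RNG seeded from the epoch (assumed to be shared by all gateways or published
    by a coordinator), which is the periodic random re-computation of groups:
    membership changes between epochs, the equal in/out degree does not.
    """
    ring = sorted(addresses, key=_ip_key)
    if epoch is not None:
        seed = int.from_bytes(hashlib.sha256(b"peer-epoch:%d" % epoch).digest()[:8], "big")
        random.Random(seed).shuffle(ring)
    n = len(ring)
    return {ring[i]: [ring[(i + k) % n] for k in range(1, group_size)] for i in range(n)}


class Gateway:
    """Per-domain-gateway state for method 200."""

    def __init__(self, addr, group_size, severity=2, conn_limit=20, divisor=4):
        self.addr = addr
        self.s = severity                               # hold-off periods added per local alert
        self.conn_limit = conn_limit                    # outbound connections per host per period
        self.alpha = group_size // divisor * severity   # EQN. 1: alpha = (G/4) * s
        self.a = 0                                      # alert level counter
        self.c = 0                                      # hold off counter
        self.defending = False

    def _raise_alert_level(self):
        # steps 214/216/218: a <- min(a + s, alpha); defensive action once alpha is reached
        self.a = min(self.a + self.s, self.alpha)
        if self.a == self.alpha:
            self.defending = True

    def period(self, host_conns, inbound_alerts):
        """Run one analysis period.  Returns True if an alert must go to the peers."""
        if any(n > self.conn_limit for n in host_conns.values()):   # step 208
            if self.c > 0:                                           # step 210: inside hold off
                return False
            self.c += self.s                                         # step 212
            self._raise_alert_level()                                # step 214
            return True
        if inbound_alerts:                                           # step 220
            for _ in inbound_alerts:
                self._raise_alert_level()                            # step 214 per alert
            return False
        self.a = max(0, self.a - 1)                                  # step 222: temporal decay
        self.c = max(0, self.c - 1)
        if self.a == 0:                                              # steps 224/226
            self.defending = False
        return False


def simulate(addresses, group_size, violating, periods, severity=2):
    """violating: {gateway: set of periods in which one of its hosts exceeds the limit}.
    Alerts sent in period t are delivered in period t+1 (assumption).
    Returns (alerts_sent, per-period list of gateways in defensive posture)."""
    groups = peer_groups(addresses, group_size)
    gws = {addr: Gateway(addr, group_size, severity) for addr in addresses}
    inbox = {addr: [] for addr in addresses}
    alerts_sent, timeline = 0, []
    for t in range(periods):
        outbox = {addr: [] for addr in addresses}
        for addr, gw in gws.items():
            # one host per domain (constructed): 500 connections when infected, 3 otherwise
            conns = {"host-1": 500 if t in violating.get(addr, ()) else 3}
            if gw.period(conns, inbox[addr]):
                alerts_sent += 1
                for peer in groups[addr]:
                    outbox[peer].append(addr)
        inbox = outbox
        timeline.append(sorted((a for a, g in gws.items() if g.defending), key=_ip_key))
    return alerts_sent, timeline


ADDRS = ["10.0.0.%d" % i for i in range(1, 17)]   # constructed gateway addresses


def noisy_host_scenario():
    """One host behind 10.0.0.1 violates the limit for ten straight periods."""
    return simulate(ADDRS, 12, {"10.0.0.1": set(range(10))}, 12)


def worm_scenario():
    """Hosts behind 10.0.0.1 through 10.0.0.4 violate the limit during periods 0-3."""
    return simulate(ADDRS, 12, {a: set(range(4)) for a in ADDRS[:4]}, 12)


if __name__ == "__main__":
    sent, tl = noisy_host_scenario()
    print("noisy host: alerts sent =", sent, "ever defending =", any(tl))
    sent, tl = worm_scenario()
    print("worm: alerts sent =", sent, "defending after period 1 =", tl[1])
```

With G = 12 and s = 2, EQN. 1 gives α = 6, so three alerts (local or received) are needed before a gateway defends. In the worm scenario the four violating gateways each send exactly one alert and then sit in hold off, while the uninfected gateways that lie within the peer lists of at least three of them cross α in the very next period; a gateway reached by only one or two of the alerts raises its counter but never acts, which is the false-alarm suppression the text describes.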

FIG. 3 is a flow diagram illustrating one embodiment of a method 300 for dynamically constructing a filter to contain emerging worms, according to the present invention. The method 300 may be implemented, for example, in accordance with step 218 of the method 200.

The method 300 is initialized at step 302 and proceeds to step 304, where the method 300 receives a resource violation alert from a peer. In one embodiment, the resource violation alert includes: (1) the peer from which the alert was received; (2) a port/protocol pair, A/B, representing the dominant target port/protocol used by the peer's outbound packets during the time, t, at which the resource violation alert was triggered; (3) a datagram size, S, representing the average datagram sent by the peer during the time, t; and (4) a standard deviation, D, of datagrams sent by the peer during the time, t.

In step 306, the method 300 constructs a filter, F, such that incoming A/B packets are denied.

In step 308, the method 300 determines whether the standard deviation, D, is less than ε, where ε is an empirically derived value or threshold that is globally determined. In particular, a value is derived for ε such that the filter, F, can match packets of similar attributes (e.g., size), where those attributes may vary within some range of tolerance. If the method 300 determines in step 308 that the standard deviation, D, is less than ε, the method 300 proceeds to step 310 and augments the filter, F, to filter packets of size S±ε. The method 300 then terminates in step 312 with the filter, F, being thus established.

Alternatively, if the method 300 determines in step 308 that the standard deviation, D, is not less than ε, the method 300 terminates in step 312.

The establishment of a filter in accordance with the method 300 is therefore based on the observation of some degree of correlation among packets at nodes or domain gateways generating resource violation alerts.
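Method 300 can be written out directly. The Python below is an added example for this page, not code from the patent or its applicants; the packet record, the tolerance ε of 8 bytes and the two constructed outbound captures are assumptions. It reads the augmentation of step 310 as narrowing the A/B deny rule to datagrams of size S±ε, so that when the violating peer's datagrams were uniform (D below ε) the filter blocks only inbound A/B traffic that resembles them, and when they were not (D at or above ε) the filter of step 306 denies all inbound A/B traffic. The `summarize_violation` helper shows how the alert fields of step 304 would be derived from a violating gateway's outbound packets during the period t.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int     # target port
    size: int      # datagram size in bytes


@dataclass
class ResourceViolationAlert:
    """The four fields of a resource violation alert received in step 304."""
    peer: str
    port: int            # A: dominant target port
    protocol: str        # B: dominant protocol
    size_mean: float     # S: average datagram size during period t
    size_stdev: float    # D: standard deviation of datagram size during t


@dataclass
class Filter:
    """F: deny inbound A/B packets, optionally only those of size S +/- epsilon."""
    port: int
    protocol: str
    size_band: Optional[Tuple[float, float]] = None

    def denies(self, pkt: Packet) -> bool:
        if (pkt.dport, pkt.proto) != (self.port, self.protocol):
            return False
        if self.size_band is None:          # step 306 only: every A/B packet is denied
            return True
        lo, hi = self.size_band             # step 310: only datagrams of size S +/- epsilon
        return lo <= pkt.size <= hi


def summarize_violation(peer: str, outbound: List[Packet]) -> ResourceViolationAlert:
    """Build the alert a violating gateway sends: the dominant target port/protocol
    of its outbound packets during period t, plus the mean and standard deviation
    of all datagrams it sent during t."""
    (port, proto), _ = Counter((p.dport, p.proto) for p in outbound).most_common(1)[0]
    sizes = [p.size for p in outbound]
    return ResourceViolationAlert(peer, port, proto, mean(sizes), pstdev(sizes))


def construct_filter(alert: ResourceViolationAlert, epsilon: float) -> Filter:
    """Steps 306 through 312 of method 300."""
    f = Filter(alert.port, alert.protocol)                                    # step 306
    if alert.size_stdev < epsilon:                                            # step 308
        f.size_band = (alert.size_mean - epsilon, alert.size_mean + epsilon)  # step 310
    return f


# Constructed captures for two violating peers.  The first is a scanner sending
# near-identical 1000-byte payloads to TCP/445; the second pads each datagram
# to a different size, so the size attribute is not usable as a discriminator.
UNIFORM_WORM = [Packet("10.0.1.10", "192.0.2.%d" % i, "tcp", 445, 998 + 2 * (i % 3))
                for i in range(18)]
PADDED_WORM = [Packet("10.0.1.20", "192.0.2.%d" % i, "tcp", 445, sz)
               for i, sz in enumerate([64, 300, 900, 1500, 1200, 700])]
EPSILON = 8   # assumed globally determined tolerance, in bytes


if __name__ == "__main__":
    for pkts in (UNIFORM_WORM, PADDED_WORM):
        alert = summarize_violation(pkts[0].src, pkts)
        print(alert, "->", construct_filter(alert, EPSILON))
```

For the uniform capture the alert carries S = 1000 and D of about 1.6, so the resulting filter denies inbound TCP/445 datagrams between 992 and 1008 bytes and lets an ordinary 200-byte TCP/445 packet through; for the padded capture D is far above ε and the filter denies every inbound TCP/445 packet regardless of size.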

FIG. 4 is a high level block diagram of the present method for worm containment that is implemented using a general purpose computing device 400. In one embodiment, a general purpose computing device 400 comprises a processor 402, a memory 404, a worm containment module 405 and various input/output (I/O) devices 406 such as a display, a keyboard, a mouse, a modem, and the like. In one embodiment, at least one I/O device is a storage device (e.g., a disk drive, an optical disk drive, a floppy disk drive). It should be understood that the worm containment module 405 can be implemented as a physical device or subsystem that is coupled to a processor through a communication channel.

Alternatively, the worm containment module 405 can be represented by one or more software applications (or even a combination of software and hardware, e.g., using Application Specific Integrated Circuits (ASICs)), where the software is loaded from a storage medium (e.g., I/O devices 406) and operated by the processor 402 in the memory 404 of the general purpose computing device 400. Thus, in one embodiment, the worm containment module 405 for combating malicious code in networks described herein with reference to the preceding Figures can be stored on a computer readable medium or carrier (e.g., RAM, magnetic or optical drive or diskette, and the like).

Thus, the present invention represents a significant advancement in the field of computer networks. The present invention provides improved containment and control of worm infections in a network by integrating complementary defense strategies both to slow the spread of worms and to prevent worms from reaching their full saturation potential within the network.

Although various embodiments which incorporate the teachings of the present invention have been shown and described in detail herein, those skilled in the art can readily devise many other varied embodiments that still incorporate these teachings.

1. A method for combating self-propagating malicious code in a network, the method comprising: detecting a suspected worm within the network; sending an alert message regarding said worm to a group of one or more peers; and reselecting a membership in said group at a later time period, such that one or more reselected peers in said group at said later time period is different from said one or more peers in said group, wherein at least one of: said detecting, said sending, or said reselecting is performed using a processor.
2. The method of claim 1, wherein said detecting further comprises: detecting a resource limitation exceeded in said network.
3. The method of claim 2, wherein said resource limitation includes a number of outbound connections made by a node in said network per unit of time.
4. The method of claim 2, wherein said detecting further comprises: receiving at least one alert message from at least one peer, wherein the at least one alert message contains information regarding the resource limitation that is exceeded.
5. The method of claim 1, further comprising: implementing a defensive action when a threshold amount of suspected malicious code activity is observed.
6. The method of claim 5, wherein said defensive action is halted if said suspected malicious code activity is observed to fall below said threshold amount.
7. The method of claim 5, wherein said threshold amount is adjustable.
8. The method of claim 5, wherein said defensive action is an enablement of a filter to selectively block network traffic meeting defined characteristics.
9. The method of claim 8, wherein said defined characteristics correspond to characteristics of packets dropped in accordance with said limiting.
10. The method of claim 9, wherein said defined characteristics include at least one of: a port/protocol pair representing a dominant target port/protocol used by outbound packets during a time at which a violation of a resource usage threshold is detected, an average datagram size sent during said time at which said violation of said resource usage threshold is detected, or a standard deviation of datagrams sent during said time at which said violation of said resource usage threshold is detected.
11. The method of claim 10, further comprising: denying at least one incoming packet corresponding to said dominant target port/protocol.
12. The method of claim 5, further comprising: modifying an alert level counter after sending the alert message, and wherein said implementing a defensive action is performed at least partly based on a value of the alert level counter.
13. The method of claim 12, wherein an amount by which the value of the alert level counter is modified depends at least partly on a severity of the suspected worm.
14. The method of claim 1, further comprising: receiving one or more alert messages from one or more peers in said network, said one or more alert messages indicating a detection of said suspected worm.
15. The method of claim 1, wherein said reselecting comprises: periodically re-computing said group.
16. The method of claim 1, wherein said sending comprises: determining whether to suppress or send the alert message depending on a value of a hold off counter; and modifying the value of the hold off counter after sending the alert message, by an amount corresponding to a period of time during which additional alert messages are to be suppressed.
17. The method of claim 16, wherein the amount by which the value of the hold off counter is modified is dependent on a severity of suspected malicious activity.
18. The method of claim 1, wherein the group comprises a subset randomly selected from among a plurality of peers.
19. The method of claim 1, wherein said reselecting is performed by a hierarchical coordinator function.
20. The method of claim 1, wherein said reselecting is performed by said one or more peers.
21. A computer readable storage device containing an executable program for combating self-propagating malicious code in a network, the method comprising: detecting a suspected worm within the network; sending an alert message regarding said worm to a group of one or more peers; and reselecting a membership in said group at a later time period, such that one or more reselected peers in said group at said later time period is different from said one or more peers in said group.
22. Apparatus for combating self-propagating malicious code in a network, the apparatus comprising: a processor for detecting a suspected worm violation within the network; an output device for sending an alert message regarding said worm to a group of one or more peers; and a hierarchical coordinator for reselecting a membership in said group at a later time period, such that one or more reselected peers in said group at said later time period is different from said one or more peers in said group.